How To Guide PROPER CPH2451 Root and Update instructions - OnePlus 11

This is for the CPH2451 Rom, but should also work for other roms.
I have returned my device so I will not be updating this with future updates.
I have validated these instructions work for CPH2451 NA version so it's your choice to follow it or not.
Not my fault if your phone bricks.
Phase 1: Unlocking the bootloader
WARNING: This will erase all data on your phone.
WARNING: Netflix will not work after bootloader unlock. OnePlus's fault.
Step 1: Complete the initial setup. You don't have to waste time signing into anything.
Step 2: Go into Settings and scroll down to About Device.
Step 3: Scroll down and tap on Version.
Step 4: Tap 7 times on Build number.
Step 5: Go back to settings and go to Additional settings.
Step 6: Go into Developer options and tap on OEM unlocking and USB debugging.
Phase 2: Installing drivers
Step 1: Install everything here, except for OPLocalUpdate_For_Android12.apk. Save that for later.
https://www.androidfilehost.com/?w=files&flid=334530
Phase 3: Recognizing the phone and unlocking the bootloader.
Step 1: Connect the phone to the PC and accept the prompt on your phone. Don't worry if it doesn't show.
Step 2: If you installed all the drivers correctly, then from any folder on your computer, hold Shift and right click your mouse and select Open PowerShell window here. Use CMD if you have issues.
Step 3: Type the following code and if you didn't get the prompt earlier, then accept the prompt after entering this code.
Code:
adb devices
You should get something like this:
Code:
List of devices attached
6g73s2t1 device
Step 4: Reboot to bootloader
Code:
adb reboot bootloader
Step 5: Type the following code and you should get something similar like step 3. Skip to Step 7 if you do. Continue to Step 6 if you don't.
Code:
fastboot devices
Step 6: On your computer, right click This PC and select Manage.
Look for a yellow triangle. It probably says Android device.
Right click it and select Update driver.
Select Browse my computer for drivers.
Select Let me pick from a list of available drivers on my computer.
You should have a list of Google or Samsung bootloader drivers or adb drivers or similar.
Just install one and see if the triangle disappears; if not, then try another until it disappears.
Retry the code above and it should work.
Step 7: Type the following to unlock the bootloader
Code:
fastboot flashing unlock
WARNING: You might not be able to set your pin, password, fingerprint, and face unlock due to OnePlus incompetence.
Step 8: Let your phone do its thing, don't worry about the Orange State warning message after it restarts. This is normal.
Step 9: Set up the phone, but don't waste your time logging into anything until you can successfully set up a pin or password. Skip to Step 11 if you can set up a pin or password. Continue to Step 10 if it hangs up on the second entry.
Step 10: Skip everything, enable USB debugging and reboot back into the bootloader.
This is the annoying part. You need to lock and unlock as many times as it takes for the pin or password setup to work. You might need to toggle the OEM unlocking switch in between lock and unlock cycles.
Use the following to lock the bootloader and then repeat all of Phase 1 and 3 as many times as it takes.
Code:
fastboot flashing lock
Step 11: Go ahead and set up your phone or continue to Phase 4.
Phase 4: Rooting
Step 1: Download and install KernelSU.
https://github.com/tiann/KernelSU/releases
Step 2: Open the app to find the Kernel version to download.
Should be something similar to 5.15.41-android...........
NOTE: This number is old and will change with each update so use what your phone says.
Step 3: Take the first 3 sets of numbers and download and save the corresponding boot.img.gz file somewhere convenient.
https://github.com/tiann/KernelSU/releases
Using the example above, you will download this file: ksu-10647-Image-android13-5.15.41_2022-05-boot.img.gz
This file will change with each app update so use the latest available that matches your phone in Step 2.
Step 4: Extract the .img file.
Step 5: Reboot to bootloader.
Code:
adb reboot bootloader
Step 6: BOOT the kernel. DO NOT EVER FLASH THIS PHONE!
Code:
fastboot boot ksu-10647-Image-android13-5.15.41_2022-05-boot.img
You essentially have temp root at this point.
Step 7: Download and install Magisk Canary or Delta. I used Delta. Stable does not work.
https://github.com/topjohnwu/Magisk
Step 8: Open KernelSU and select the middle Superuser tab
Step 9: Scroll down and toggle Magisk
Step 10: Open Magisk and perform a direct install.
Step 11: Install safetynet-fix-v2.4.0-MOD_1.2
https://github.com/displax/safetynet-fix/releases
Step 12: Clear the data from Playstore app and any Google app that has issues.
Step 13: Enjoy!
Netflix:
Netflix does work, but DRM will drop from L1 to L3. However, I'm not prepared to release the fix yet cause I don't want you guys using my Netflix account.
Realistically, since I no longer have this phone, I can't test it anymore so those who don't have a working OP10 or OP10T, you're SOL for now.
For those who do still have a rooted OP10 or OP10T with working Netflix, then download Swift Backup, back up the app settings from your OP10 or OP10T and restore the files on the OP11.
https://play.google.com/store/apps/details?id=org.swiftapps.swiftbackup&hl=en_US&gl=US
WARNING: IF YOU GIVE THE BACKUP FILES TO SOMEONE ELSE, THEN THEY WILL HAVE ACCESS TO YOUR NETFLIX ACCOUNT!
OTA Updates:
I have returned my device so this will be the only post I'm making for updates. Follow the Non-PC Method for future updates.
Color/Oxygen OS android 13 update
CPH2451_11.A.07 NA Update & ROOT
CAUTION!
Not my fault if your phone breaks.
WARNING!!!
Issues I've seen on previous devices:
- A few people have had bootloop issues due to using the wrong rom on the wrong phone. (e.g. Installing the Global ROM on a NA, EU, IN, or CN model)
- If you have "FLASHED" the patched boot vice "BOOT" at any time prior to this, then you can NOT use OTA unless you want to bootloop or end up in EDL and wipe the phone.
I can't help you if your phone doesn't update properly.
-----------------------------------------------------------------------------------------
NA CPH2451_11.A.07 OTA Incremental update:
Official: https://android.googleapis.com/packages/ota-api/package/11ca82d836bbd2530659d57bca236d2da0caf5dd.zip
Mirror: https://www.androidfilehost.com/?fid=4279422670115720937
SHA-1: 11CA82D836BBD2530659D57BCA236D2DA0CAF5DD
MD5: D0A498CBDC3DABB491FD2EC061CD05C0
OnePlus Local Update Tool (OPLocalUpdate_For_Android12.apk). Works on 13.
Mirror: https://www.androidfilehost.com/?fid=15664248565197176984
SHA-1: 80707A75F7FA9E1864E84C7C7C270175A9FEC129
MD5: ADF932B2FD4C2A2B379C9427197B6B6A
Two methods are available, PC and non-PC. I prefer the non-PC method since it's much easier and it hasn't failed me yet so I'm just going to post instructions for that. If you screw up and lose root, then repeat Phase 4 for the PC method.
-----------------------------------------------------------------------------------------
Non-PC Method
See Warning above.
Step 1: You must unroot first. You don't have to completely remove Magisk, just restore images. Open Magisk, click uninstall magisk, and only click restore images. DO NOT REBOOT!
Step 2: Install OTA update using the OPLocalUpdate app or through the stock system update. DO NOT REBOOT!
Note: Skip to the next section if you want to back up the new stock boot.img, init_boot.img, and persist.img files before rooting the update.
Step 3: Open Magisk and install to inactive slot. Reboot.
-----------------------------------------------------------------------------------------
For those who followed other directions to FLASH the patched init_boot, then reflash the stock init_boot using the same directions you previously used to flash the patched file.
Follow Phase 4 to root.
CPH2451_11.A.06 init_boot image:
Stock
init_boot_a.img | by Xi Jing Pooh for /e/OS supported models
www.androidfilehost.com
SHA-1: 40F29889D68305B87ED8C0936F57F3F18A3A71D0
MD5: BF310CAEE6B1F176CA0A138BC3DB65CC
CPH2451_11.A.07 init_boot image
Stock
init_boot_b.img | by Xi Jing Pooh for /e/OS supported models
www.androidfilehost.com
SHA-1: 22010F8F186F1438FFFEEC186014515F0C674F54
MD5: 592D48E06F7F4494937445F9910C1CC0
Saving the stock boot, init_boot, and persist images after OTA updates:
Connect your phone to your PC and run the following codes using CMD or PowerShell and save the files to your computer.
The new boot files will be either the _a.img or _b.img files, depending on which slot the update is installed to. You can save both and look to see which slot magisk is patching when you install to the inactive slot to know which are the new boot images. There is only one persist img file and it supposedly changes with each update so make sure you save it.
Code:
adb shell
su
dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
dd if=/dev/block/by-name/boot_b of=/sdcard/boot_b.img
dd if=/dev/block/by-name/init_boot_a of=/sdcard/init_boot_a.img
dd if=/dev/block/by-name/init_boot_b of=/sdcard/init_boot_b.img
dd if=/dev/block/bootdevice/by-name/persist of=/sdcard/persist.img
GPay no longer works, but Wallet does.

For those who accidentally flashed a patched init_boot over the boot file, here are the stock boot files:
CPH2451_11.A.06 boot image:
Stock boot
boot_a.img | by Xi Jing Pooh for /e/OS supported models
www.androidfilehost.com
SHA-1: 901EC0F5A2ECAF0F0B5472BA50A2C7B857C6D932
MD5: 96FFEAFC046C3F6B80B706694A46213B
CPH2451_11.A.07 boot image
Stock boot
boot_b.img | by Xi Jing Pooh for /e/OS supported models
www.androidfilehost.com
SHA-1: FCB9964D9547363AB524C10BA2E15AAE8899DBC1
MD5: DCFED50F37E79C272C954C9F6F1F82E2
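An added example, not from the thread: Python that hashes the dd dumps described above and matches them against the stock SHA-1 values listed in these posts, and checks a downloaded OTA zip against the 40-hex name in its URL (for the official link above, that name equals the listed SHA-1). It assumes a full-partition dd dump is byte-identical to the posted stock image; the function names and status labels are illustrative.

```python
import hashlib
import re
import sys
from pathlib import Path

# SHA-1 values copied from the posts above: sha1 -> (partition, build).
KNOWN_STOCK = {
    "40f29889d68305b87ed8c0936f57f3f18a3a71d0": ("init_boot", "CPH2451_11.A.06"),
    "22010f8f186f1438fffeec186014515f0c674f54": ("init_boot", "CPH2451_11.A.07"),
    "901ec0f5a2ecaf0f0b5472ba50a2c7b857c6d932": ("boot", "CPH2451_11.A.06"),
    "fcb9964d9547363ab524c10ba2e15aae8899dbc1": ("boot", "CPH2451_11.A.07"),
}


def sha1_file(path, chunk_size=1 << 20):
    """Stream the file so large images are not loaded into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def ota_sha1_from_url(url):
    """Return the 40-hex file name of an OTA URL, or None if it has none."""
    m = re.search(r"/([0-9a-fA-F]{40})\.zip$", url)
    return m.group(1).lower() if m else None


def verify_ota(zip_path, url):
    """True only if the downloaded zip hashes to the name embedded in its URL."""
    expected = ota_sha1_from_url(url)
    if expected is None:
        raise ValueError("URL does not end in <40 hex chars>.zip")
    return sha1_file(zip_path) == expected


def classify_dump(path, known=KNOWN_STOCK):
    """Classify a slotted dump such as boot_a.img or init_boot_b.img.

    status is one of:
      stock            hash matches a listed stock image for this partition
      wrong-partition  hash matches a stock image of the other partition type
      unknown          no match (patched image, or a build not listed here)
    Assumption: the dd dump is byte-identical to the posted stock file.
    """
    stem = Path(path).stem                      # e.g. "init_boot_a"
    partition, sep, slot = stem.rpartition("_")
    if not sep or slot not in ("a", "b"):
        raise ValueError(f"{path}: expected <partition>_a.img or <partition>_b.img")
    digest = sha1_file(path)
    hit = known.get(digest)
    if hit is None:
        status, build = "unknown", None
    elif hit[0] != partition:
        status, build = "wrong-partition", hit[1]
    else:
        status, build = "stock", hit[1]
    return {"partition": partition, "slot": slot, "sha1": digest,
            "status": status, "build": build}


if __name__ == "__main__":
    # Usage: python check_dumps.py boot_a.img boot_b.img init_boot_a.img init_boot_b.img
    for arg in sys.argv[1:]:
        r = classify_dump(arg)
        print(f"{arg}: slot {r['slot']} {r['partition']} -> {r['status']} "
              f"({r['build'] or 'no listed build'}) sha1={r['sha1']}")
```

A slot whose boot and init_boot dumps both report the newer build is the slot the OTA was written to; an `unknown` result on the active slot is expected while Magisk is installed.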

OK, testing so I can delete mine.
This will help a lot to future-proof the updates.

blasbenoit said:
OK, testing so I can delete mine.
This will help a lot to future-proof the updates.
Don't delete the whole thread. There's other good info in there from other conversations. Maybe just delete the part about flashing.

Alright so this all makes sense, but one detail I'm unclear on. Past guides have said to FLASH the modified init_boot.img and root works. Your guide said not to, is there a huge risk in flashing init_boot.img?
My understanding was that once you're rooted this way, you can ota update like normal and then just use magisk to flash to inactive slot, and you're fine. Correct me on this, that's what I'm looking for here lol

H4X0R46 said:
Alright so this all makes sense, but one detail I'm unclear on. Past guides have said to FLASH the modified init_boot.img and root works. Your guide said not to, is there a huge risk in flashing init_boot.img?
My understanding was that once you're rooted this way, you can ota update like normal and then just use magisk to flash to inactive slot, and you're fine. Correct me on this, that's what I'm looking for here lol
You can't use OTA if you flash. Only my method works for the NA rom. I introduced this method to XDA on the 8T and it is the only way if you want normal OTA updates since full rom updates are few and far.

H4X0R46 said:
Alright so this all makes sense, but one detail I'm unclear on. Past guides have said to FLASH the modified init_boot.img and root works. Your guide said not to, is there a huge risk in flashing init_boot.img?
My understanding was that once you're rooted this way, you can ota update like normal and then just use magisk to flash to inactive slot, and you're fine. Correct me on this, that's what I'm looking for here lol
Ok so this is my understanding of the matter:
booting is like using a cap.
but flashing is like using glue with that cap.

g96818 said:
Don't delete the whole thread. There's other good info in there from other conversations. Maybe just delete the part about flashing
Oops, sorry, edited already.
I'll read your entire post and send you suggestions to add them here.
What do you think?

Flashing is also very dangerous post OP9 pro. There is no free MSM available so if you accidentally flash incorrectly, then you're looping.

blasbenoit said:
Oops, sorry, edited already.
I'll read your entire post and send you suggestions to add them here.
What do you think?
That's fine

g96818 said:
You can't use OTA if you flash. Only my method works for the NA rom. I introduced this method to XDA on the 8T and it is the only way if you want normal OTA updates since full rom updates are few and far.
Shoot I didn't think of that... Touche! So I'm reading along, and I'm getting to the part where you BOOT kernel su image for temp root. So far so good. What trips me up is when you install magisk app and install magisk, you can't ota update. So as per your guide, you MUST unroot the device and then ota update every time? This device sounds like a pain in the ass, I see why you returned yours tbh

H4X0R46 said:
Shoot I didn't think of that... Touche! So I'm reading along, and I'm getting to the part where you BOOT kernel su image for temp root. So far so good. What trips me up is when you install magisk app and install magisk, you can't ota update. So as per your guide, you MUST unroot the device and then ota update every time? This device sounds like a pain in the ass, I see why you returned yours tbh
Essentially, forgetting to unroot before ota is a brick..... ?

H4X0R46 said:
Shoot I didn't think of that... Touche! So I'm reading along, and I'm getting to the part where you BOOT kernel su image for temp root. So far so good. What trips me up is when you install magisk app and install magisk, you can't ota update. So as per your guide, you MUST unroot the device and then ota update every time? This device sounds like a pain in the ass, I see why you returned yours tbh
The phone doesn't unroot unless you restart. Just restoring images allows you to take the OTA, but you need to go back to magisk and install in inactive slot before restarting to keep root after restarting.
H4X0R46 said:
Essentially, forgetting to unroot before ota is a brick..... ?
No. You just can't update.
I returned the phone cause OP screwed me on the trade in so fcuk em.

g96818 said:
The phone doesn't unroot unless you restart. Just restoring images allows you to take the OTA, but you need to go back to magisk and install in inactive slot before restarting to keep root after restarting.
No. You just can't update.
I returned the phone cause OP screwed me on the trade in so fcuk em.
Flashing magisk leaves it a temp root? I figured it would survive reboots after magisk is installed KernelSU root would be gone, but magisk root should persist I thought?
Man they screwed you on the trade in? YIKES! I bought this phone because in the past they were always so easy to root! I'm having second thoughts now...

H4X0R46 said:
Flashing magisk leaves it a temp root? I figured it would survive reboots after magisk is installed KernelSU root would be gone, but magisk root should persist I thought?
Man they screwed you on the trade in? YIKES! I bought this phone because in the past they were always so easy to root! I'm having second thoughts now...
No, flashing magisk will be permanent root until you un-root to update. KernelSU is only temp as you're only booting it. Also this method can be used to temp boot with root and pull the new unmodified images such as boot.img, init_boot, persist, etc each time you update as well just to have a backup in case. I would assume it will be safer to update using the update apk instead of system update though as I've had issues on my 10 pro with unrooting and taking OTA then magisk patching to inactive slot in the past (would just need to capture the update url each update so can manually download it and install using the APK).

jeffsga88 said:
No, flashing magisk will be permanent root until you un-root to update. KernelSU is only temp as you're only booting it. Also this method can be used to temp boot with root and pull the new unmodified images such as boot.img, init_boot, persist, etc each time you update as well just to have a backup in case. I would assume it will be safer to update using the update apk instead of system update though as I've had issues on my 10 pro with unrooting and taking OTA then magisk patching to inactive slot in the past (would just need to capture the update url each update so can manually download it and install using the APK).
Alright this is all making more sense to me. Now you piqued my interest on using kernelSU to take stock backups of my boot and init_boot files, that's INSANELY useful. What tool would I use to take those backups? That alone could be an ass saver lol

jeffsga88 said:
No, flashing magisk will be permanent root until you un-root to update. KernelSU is only temp as you're only booting it. Also this method can be used to temp boot with root and pull the new unmodified images such as boot.img, init_boot, persist, etc each time you update as well just to have a backup in case. I would assume it will be safer to update using the update apk instead of system update though as I've had issues on my 10 pro with unrooting and taking OTA then magisk patching to inactive slot in the past (would just need to capture the update url each update so can manually download it and install using the APK).
You are correct. Using the system update is somewhat safer. You can either get the OTA file from Oxygen updater or let it fail updating while rooted.
The update log is saved here:
/data/misc/oplus_update_engine_log
file name is: update_engine_log
Open it as a text file and you'll see the google download link
H4X0R46 said:
Alright this is all making more sense to me. Now you piqued my interest on using kernelSU to take stock backups of my boot and init_boot files, that's INSANELY useful. What tool would I use to take those backups? That alone could be an ass saver lol
Windows PowerShell or cmd.
You need to boot the kernel file and give root access to the app called Shell using KernelSU and then enter the following in PowerShell or cmd:
adb shell
su
dd if=/dev/block/by-name/boot_a of=/sdcard/boot_a.img
dd if=/dev/block/by-name/boot_b of=/sdcard/boot_b.img
dd if=/dev/block/by-name/init_boot_a of=/sdcard/init_boot_a.img
dd if=/dev/block/by-name/init_boot_b of=/sdcard/init_boot_b.img
dd if=/dev/block/bootdevice/by-name/persist of=/sdcard/persist.img
It will save the files to your main storage folder and then you can then copy the files over to the computer for safe keeping.

H4X0R46 said:
Alright this is all making more sense to me. Now you piqued my interest on using kernelSU to take stock backups of my boot and init_boot files, that's INSANELY useful. What tool would I use to take those backups? That alone could be an ass saver lol
I would just use adb shell using the dd command. On the 10 pro I would always un-root, update using system OTA, then reboot, boot a patched boot.img, run adb shell and then dd my boot.img so I had a stock one then use Magisk app to do direct install.

jeffsga88 said:
I would just use adb shell using the dd command. On the 10 pro I would always un-root, update using system OTA, then reboot, boot a patched boot.img, run adb shell and then dd my boot.img so I had a stock one then use Magisk app to do direct install.
You don't have to wait. You can run the dd commands right after the update, but before installing to inactive slot for the boot images. I would wait for the reboot before doing the persist file.

g96818 said:
You don't have to wait. You can run the dd commands right after the update, but before installing to inactive slot for the boot images. I would wait for the reboot before doing the persist file.
True, didn't think about that. Was forgetting you're still technically rooted even after restoring images in Magisk as long as you don't reboot. Also if you want to backup without PC from your phone you can just use Termux (or similar terminal emulator) and use dd command from there to back up before installing to inactive slot.

Related

Magisk works!! [+ POC boot.img for 3/19/18 LOS 14.1]

Please also read the additional notes in post #2, as they are critical to getting Magisk working.
I decided to do some tinkering around with Magisk, and it actually DOES work on the kindles (at least the 8.9"). The problem is, Magisk's patcher just isolates the ramdisk part of the boot.img and doesn't add the boot signature or other magic back to the image when it's time to reflash the patched boot image. By dd'ing the signature (and other files) back to the image, I can get Magisk to successfully boot.
As part of the working POC (because it's exciting to actually see this!), I've uploaded the patched "Magiskified" boot image (which originally comes from the 20180319 LineageOS 14.1 ROM that was built about a week ago). For reference, this is patched by Magisk v16.0, and the setup is basically the same as the official boot.img makefile directions from CM12.1. (It was the most arbitrary source I found, and I doubt the magic used to create the boot images has changed, so I'm just using that script as a reference.) Try to stick to that ROM if you can - no telling what different ROM versions/variants might do if you're not careful.
I plan on releasing a flashable .zip soon (probably in a month? I have college to work through) to automate the patching process, and possibly even extract the official installer zips to work through Magisk's patching scripts manually so the required boot magic can be patched back into the image before it's ever flashed. (I'll try to take requests to manually patch other ROM boot.imgs if asked to in the meantime though.)
As a friendly reminder, please do NOT flash the official Magisk installer zips or any patched boot images that the app produces as is - they need to be "repatched" with the boot magic, or you'll have to fastboot flash your ROM's boot.img manually because the kindle will hang at the bootloader screen.
Important notes
The official Magisk v16.0 zip must be flashed on first install/reinstall in order to properly construct the environment. Flash the boot image attached in the OP immediately after without rebooting in between, or the image Magisk flashed will prevent the kindle from booting normally without advanced intervention.
SafetyNet does NOT pass the basic integrity OR advanced checks. At least, v16 doesn't. Maybe an earlier Magisk build does - feel free to try it once I get the automated patcher zip up and running.
For now, because you're flashing on LineageOS, you may want to flash the LOS 14.1 arm-based su removal zip from Lineage's downloads site. Verify you're downloading arm and not arm64.
How does one go about patching the boot image that's modified by magisk so it's able to be flashed?
kn0wbodh1 said:
How does one go about patching the boot image that's modified by magisk so it's able to be flashed?
It's complicated. I recommend not doing this unless you're willing to follow it to the letter - when I get to creating the automated patcher, this won't be necessary.
Make backups!!
extract the boot.img from your ROM .zip, copy it to the device internal storage
install the Magisk Manager app, download the Magisk .zip and choose "patch boot image"; navigate to said boot image file
copy the modified image to a computer (preferably one running a Linux OS like Ubuntu)
download the boot_cert and u-boot.bin files from the official LineageOS/CM device repo; place these files in the same directory as the boot.img file
open a Linux terminal pointed to the same directory as the boot.img file
run for i in $(seq 1024); do echo -ne "\x00\x50\x7c\x80" >> stack.tmp; done to create the remaining file
run cat boot_cert patched_boot.img > boot.img (assuming the Magisk image produced is named patched_boot.img); this is the boot "signature"
run dd if=u-boot.bin of=boot.img bs=8117072 seek=1 conv=notrunc to tag the second bootloader on
finally, run dd if=stack.tmp of=boot.img bs=6519488 seek=1 conv=notrunc to add the stack file; copy the new boot.img back to the kindle
reboot into recovery, flash the Magisk .zip to build the environment, but do NOT reboot yet
choose "Flash .img" within TWRP, select the boot.img, and select "Boot" to flash to the boot partition; reboot to system once complete
profit!
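A pre-flash check for the image those steps produce, as an added example that is not part of the original post or of Magisk. It assumes the file names used in the post (boot_cert, patched_boot.img, u-boot.bin, boot.img); the function names are this example's own. It confirms each piece sits at the offset the cat/dd commands put it, and that boot_cert plus the patched image ends before the stack offset, since the stack dd would otherwise overwrite the image's tail.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify the layout of a repacked
# boot.img before flashing. Offsets and the stack word come from the post.

STACK_OFF=6519488   # stack.tmp lands here (dd bs=6519488 seek=1)
UBOOT_OFF=8117072   # u-boot.bin lands here (dd bs=8117072 seek=1)
STACK_WORDS=1024    # repetitions of the 4-byte word 00 50 7c 80

size_of() { wc -c < "$1" | tr -d ' '; }

# region FILE OFFSET LENGTH: write LENGTH bytes of FILE starting at OFFSET.
region() { tail -c "+$(( $2 + 1 ))" "$1" | head -c "$3"; }

# expected_stack: the 4096 bytes the post's loop appends to stack.tmp.
expected_stack() {
    local i=0
    while [ "$i" -lt "$STACK_WORDS" ]; do
        printf '\000\120\174\200'
        i=$(( i + 1 ))
    done
}

# same_bytes IMG OFFSET FILE: true if IMG holds FILE's bytes at OFFSET.
# cksum is a sanity check against layout mistakes, not a security control.
same_bytes() {
    [ "$(region "$1" "$2" "$(size_of "$3")" | cksum)" = "$(cksum < "$3")" ]
}

# check_inputs CERT PATCHED: the stack dd overwrites whatever sits at
# STACK_OFF, so boot_cert plus the patched image must end before it.
check_inputs() {
    local total=$(( $(size_of "$1") + $(size_of "$2") ))
    if [ "$total" -gt "$STACK_OFF" ]; then
        echo "FAIL: cert+image is $total bytes; the stack at $STACK_OFF would overwrite it" >&2
        return 1
    fi
}

# check_image IMG CERT PATCHED UBOOT: confirm each piece is where the post's
# cat/dd commands put it. Returns non-zero on the first mismatch.
check_image() {
    local img="$1" cert="$2" patched="$3" uboot="$4"
    check_inputs "$cert" "$patched" || return 1
    same_bytes "$img" 0 "$cert" || {
        echo "FAIL: boot_cert is not at offset 0" >&2; return 1; }
    same_bytes "$img" "$(size_of "$cert")" "$patched" || {
        echo "FAIL: patched image does not follow boot_cert" >&2; return 1; }
    same_bytes "$img" "$UBOOT_OFF" "$uboot" || {
        echo "FAIL: u-boot.bin is not at offset $UBOOT_OFF" >&2; return 1; }
    [ "$(region "$img" "$STACK_OFF" $(( STACK_WORDS * 4 )) | cksum)" = \
      "$(expected_stack | cksum)" ] || {
        echo "FAIL: stack words missing at offset $STACK_OFF" >&2; return 1; }
    echo "OK: layout matches the post's cat/dd steps"
}

# Usage: ./check_boot.sh boot.img boot_cert patched_boot.img u-boot.bin
if [ "$#" -eq 4 ]; then
    check_image "$@"
fi
```

A raw Magisk-patched image with none of the repatch steps applied fails the first comparison, which is the state the thread says hangs the Kindle at the bootloader screen.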
monster1612 said:
It's complicated. I recommend not doing this unless you're willing to follow it to the letter - when I get to creating the automated patcher, this won't be necessary.
Make backups!!
extract the boot.img from your ROM .zip, copy it to the device internal storage
install the Magisk Manager app, download the Magisk .zip and choose "patch boot image"; navigate to said boot image file
copy the modified image to a computer (preferably one running a Linux OS like Ubuntu)
download the boot_cert and u-boot.bin files from the official LineageOS/CM device repo; place these files in the same directory as the boot.img file
open a Linux terminal pointed to the same directory as the boot.img file
run for i in $(seq 1024); do echo -ne "\x00\x50\x7c\x80" >> stack.tmp; done to create the remaining file
run cat boot_cert patched_boot.img > boot.img (assuming the Magisk image produced is named patched_boot.img); this is the boot "signature"
run dd if=u-boot.bin of=boot.img bs=8117072 seek=1 conv=notrunc to tag the second bootloader on
finally, run dd if=stack.tmp of=boot.img bs=6519488 seek=1 conv=notrunc to add the stack file; copy the new boot.img back to the kindle
reboot into recovery, flash the Magisk .zip to build the environment, but do NOT reboot yet
choose "Flash .img" within TWRP, select the boot.img, and select "Boot" to flash to the boot partition; reboot to system once complete
profit!
Thank you very much for the detailed instructions. I'll be keeping an eye out for the automated patcher you mentioned. Would love to try out magisk on my 2015 fire.
kn0wbodh1 said:
Thank you very much for the detailed instructions. I'll be keeping an eye out for the automated patcher you mentioned. Would love to try out magisk on my 2015 fire.
The instructions only work against the 2012 fire (HD 8.9", 2nd generation). They will more than likely brick any other device. I don't recommend trying the instructions unless you're 100% sure your device is that specific model.
Hi, a month ago I flashed the official Magisk 16 zip on an 8.9 Kindle Fire HD, and as you said, it doesn't boot anymore; it just stays on the Kindle Fire logo. Please can you tell me how I can restore my device? I haven't used it in almost 3 years and I don't have a clue what to do. I just wanted to install Viper4Android and now it is dead.
erick_gc said:
Hi, a month ago I flashed the official Magisk 16 zip on an 8.9 Kindle Fire HD, and as you said, it doesn't boot anymore; it just stays on the Kindle Fire logo. Please can you tell me how I can restore my device? I haven't used it in almost 3 years and I don't have a clue what to do. I just wanted to install Viper4Android and now it is dead.
https://forum.xda-developers.com/showthread.php?t=2128848&p=75525760
I know it's not for the 8.9" but I was able to get my 7" working by repeating the procedure in step 5. Magisk messes up the kernel on the Kindle so all you have to do is reflash the kernel. You'll need a fastboot cable to get in fastboot mode though.
Take a look at the few posts before the one I linked to.
just wondering if you've had any luck with the flashable zip for magisk? Not confident enough to try it manually. Thanks in advance.
monster1612 said:
Please also read the additional notes in post #2, as they are critical to getting Magisk working.
I decided to do some tinkering around with Magisk, and it actually DOES work on the kindles (at least the 8.9"). The problem is, Magisk's patcher just isolates the ramdisk part of the boot.img and doesn't add the boot signature or other magic back to the image when it's time to reflash the patched boot image. By dd'ing the signature (and other files) back to the image, I can get Magisk to successfully boot.
As part of the working POC (because it's exciting to actually see this!), I've uploaded the patched "Magiskified" boot image (which originally comes from the 20180319 LineageOS 14.1 ROM that was built about a week ago). For reference, this is patched by Magisk v16.0, and the setup is basically the same as the official boot.img makefile directions from CM12.1. (It was the most arbitrary source I found, and I doubt the magic used to create the boot images has changed, so I'm just using that script as a reference.) Try to stick to that ROM if you can - no telling what different ROM versions/variants might do if you're not careful.
I plan on releasing a flashable .zip soon (probably in a month? I have college to work through) to automate the patching process, and possibly even extract the official installer zips to work through Magisk's patching scripts manually so the required boot magic can be patched back into the image before it's ever flashed. (I'll try to take requests to manually patch other ROM boot.imgs if asked to in the meantime though.)
As a friendly reminder, please do NOT flash the official Magisk installer zips or any patched boot images that the app produces as is - they need to be "repatched" with the boot magic, or you'll have to fastboot flash your ROM's boot.img manually because the kindle will hang at the bootloader screen.
barcia99 said:
just wondering if you've had any luck with the flashable zip for magisk? Not confident enough to try it manually. Thanks in advance.
You can't directly flash the official installer zips onto the Kindle - they currently bork the boot image "signature" (causing the bootloader exploit to break) and require reflashing the boot image from your ROM via fastboot to get things working again.
What I've thought of is adding some device detection logic to the installer script and then having it run through the process of properly repatching the boot image after the main Magisk install finishes in order to get things to work (as opposed to having a supplementary zip file work through that after an official build is flashed).
I forked the official Magisk repo a while ago and honestly forgot about it, but since v17 hit stable since then, I'm going to rebase those proposed changes against that version. No ETA on that as of yet - I've started back at college, so time is already kind of a rarity; in addition, given the age of the Kindles already (5+ years!), it may not be a thing to sustain long term. I still have my 8.9", so testing isn't an issue, but I don't expect Magisk running on these specific devices to function as expected (so more than likely SafetyNet will fall, probably Magisk Hide as well). I'm not 100% sure how it'll turn out, but these are pretty much going to be unofficial builds for as long as I/anyone else willing to run builds sees a benefit to doing so. When a build works to my satisfaction, I promise it'll go up on XDA.
monster1612 said:
You can't directly flash the official installer zips onto the Kindle - they currently bork the boot image "signature" (causing the bootloader exploit to break) and require reflashing the boot image from your ROM via fastboot to get things working again.
What I've thought of is adding some device detection logic to the installer script and then having it run through the process of properly repatching the boot image after the main Magisk install finishes in order to get things to work (as opposed to having a supplementary zip file work through that after an official build is flashed).
I forked the official Magisk repo a while ago and honestly forgot about it, but since v17 hit stable since then, I'm going to rebase those proposed changes against that version. No ETA on that as of yet - I've started back at college, so time is already kind of a rarity; in addition, given the age of the Kindles already (5+ years!), it may not be a thing to sustain long term. I still have my 8.9", so testing isn't an issue, but I don't expect Magisk running on these specific devices to function as expected (so more than likely SafetyNet will fall, probably Magisk Hide as well). I'm not 100% sure how it'll turn out, but these are pretty much going to be unofficial builds for as long as I/anyone else willing to run builds sees a benefit to doing so. When a build works to my satisfaction, I promise it'll go up on XDA.
Thanks much. I'll continue to do some research also. I've had this Kindle since it came out and it remains stable with root and TWRP. It runs smooth and I just plain like it. The only negative is no SD card slot. Again, thanks for your hard work.
Hoping for the automated package
Here's hoping you get time to finish the automated flash package. I am not confident enough to attempt this even with your detailed instructions.
monster1612 said:
You can't directly flash the official installer zips onto the Kindle - they currently bork the boot image "signature" (causing the bootloader exploit to break) and require reflashing the boot image from your ROM via fastboot to get things working again.
What I've thought of is adding some device detection logic to the installer script and then having it run through the process of properly repatching the boot image after the main Magisk install finishes in order to get things to work (as opposed to having a supplementary zip file work through that after an official build is flashed).
I forked the official Magisk repo a while ago and honestly forgot about it, but since v17 hit stable since then, I'm going to rebase those proposed changes against that version. No ETA on that as of yet - I've started back at college, so time is already kind of a rarity; in addition, given the age of the Kindles already (5+ years!), it may not be a thing to sustain long term. I still have my 8.9", so testing isn't an issue, but I don't expect Magisk running on these specific devices to function as expected (so more than likely SafetyNet will fall, probably Magisk Hide as well). I'm not 100% sure how it'll turn out, but these are pretty much going to be unofficial builds for as long as I/anyone else willing to run builds sees a benefit to doing so. When a build works to my satisfaction, I promise it'll go up on XDA.
Successfully patched the boot image and installed magisk 18 and installed some modules and they work
Trey n said:
Successfully patched the boot image and installed magisk 18 and installed some modules and they work
Great! Will you post the boot image? What modules have you tried? Is Wifi, Bluetooth, and LTE working?
kgiesselman said:
Great! Will you post the boot image? What modules have you tried? Is Wifi, Bluetooth, and LTE working?
took me a while but also finally got it all working. Thanks for this guide. It may help us in the 7, 8 and 10 tablets. I also note my Jem is currently on CM13
monster1612 said:
It's complicated. I recommend not doing this unless you're willing to follow it to the letter - when I get to creating the automated patcher, this won't be necessary.
Make backups!!
extract the boot.img from your ROM .zip, copy it to the device internal storage
install the Magisk Manager app, download the Magisk .zip and choose "patch boot image"; navigate to said boot image file
copy the modified image to a computer (preferably one running a Linux OS like Ubuntu)
download the boot_cert and u-boot.bin files from the official LineageOS/CM device repo; place these files in the same directory as the boot.img file
open a Linux terminal pointed to the same directory as the boot.img file
run for i in $(seq 1024); do echo -ne "\x00\x50\x7c\x80" >> stack.tmp; done to create the remaining file
run cat boot_cert patched_boot.img > boot.img (assuming the Magisk image produced is named patched_boot.img); this is the boot "signature"
run dd if=u-boot.bin of=boot.img bs=8117072 seek=1 conv=notrunc to tag the second bootloader on
finally, run dd if=stack.tmp of=boot.img bs=6519488 seek=1 conv=notrunc to add the stack file; copy the new boot.img back to the kindle
reboot into recovery, flash the Magisk .zip to build the environment, but do NOT reboot yet
choose "Flash .img" within TWRP, select the boot.img, and select "Boot" to flash to the boot partition; reboot to system once complete
profit!
This works on the Kindle Fire HD 7 as well, just use the files from the Tate repository.
Devo7v said:
https://forum.xda-developers.com/showthread.php?t=2128848&p=75525760
I know it's not for the 8.9" but I was able to get my 7" working by repeating the procedure in step 5. Magisk messes up the kernel on the Kindle so all you have to do is reflash the kernel. You'll need a fastboot cable to get in fastboot mode though.
Take a look at the few posts before the one I linked to.
I also have the same issue, but I'm confused as to your referencing for Step 5, because the guide says specifically not to flash the freedom-boot image if you already have a custom ROM present. Can you reiterate on what to do, please, or can I ignore this warning?
BrianSamsungTab said:
I also have the same issue, but I'm confused as to your referencing for Step 5, because the guide says specifically not to flash the freedom-boot image if you already have a custom ROM present. Can you reiterate on what to do, please, or can I ignore this warning?
I reflashed the freedom-boot and got everything working properly. It's been a few months so I don't remember if i had to continue anything when it finally booted, but I do know that I didn't lose any data. I still don't know if you need to flash freedom-boot, but it works if you do.
a little late to the party but-
I recently made the mistake of installing Magisk and it put the Kindle in a bootloop. Is there a way to push the stock boot.img with this method, or is that too quick and dirty?
Any advice is appreciated. I'm tempted to just do a full wipe via the stock recovery, but if there's a more surgical method I'd go for it. I also have a Linux Debian machine available.

How To Guide How to extract image collection from rom releases (and root the boot image and apply root to the phone)

1. To extract the image collection from your downloaded rom :
Download Payload Dumper from here (It's a zip file but it's not flashable) to your computer
Extract the zip file to a folder, make it a folder you can use regularly because this is the default tool you would use from now on
Download the rom version you want to root
Unzip the rom to a folder, you will find a file within it called payload.bin
Copy and paste that file into the "payload_input" folder within the Payload Dumper folder you created
Execute the payload_dumper.exe file within Payload Dumper folder, you will not have to specify any options as it always extracts from any payload.bin file in payload_input and outputs the image files to payload_output.
Leave the extraction to be completed, the program will automatically close itself once it's completed
Your extracted .img files will be shown within the payload_output folder
2. If you need to root the boot image you extracted :
Copy the boot.img file from the payload_output folder to a folder on your phone storage (Best to name it appropriately if you will be doing this regularly)
Download and Install the latest Magisk apk from the release site (Accept any prompt to allow install from external source)
Launch the app and then choose Install under the top "Magisk" section
Choose Select and Patch a File then browse to where you copied the boot.img on your storage
Magisk will then apply root to the boot image you specified, Your rooted image file will be output to your phone's Download folder : /sdcard/Download
You don't need to keep the default filename of the rooted image file so you can rename it appropriately for the rom version after you copy it to your computer, just ensure to keep the .img file extension
If you rename the rooted boot image, try not to use spaces in the filename, rather use _ or - as spaces make it more difficult to use in a command window although when you start typing the filename you can use TAB to autocomplete it, always ensure the filename shows .img as the extension and at the end of any commandline
3. If you need to use your rooted boot image to apply root to your phone :
Install the drivers from the mounted drive you should get when connecting the phone to your computer
On Windows you should then have a folder in C:\Program Files (x86)\OnePlus USB Drivers\Android with the platform tools (ADB.exe and Fastboot.exe) you will need, you can obviously copy the content from that folder somewhere else if you wish.
Connect your phone to your computer
Copy your rooted boot image to the folder that has adb.exe and fastboot.exe
Open a command window on your computer by right clicking in that folder and choosing Open command window here
In the command window, type or copy/paste the command adb devices and press enter
If you see a prompt on your phone to allow the computer connection then accept it, better still, tell it to allow from now on also.
You should see a string of characters shown in the command window, if you don't see that, then try another cable or re-install your drivers and reboot the computer.
Reboot your phone into Fastboot either by using ADB on your computer ( adb reboot bootloader ) or by enabling Advanced reboot in your developer options in settings and then hold down the power button and use the 3 dot menu on the top right and choosing "Bootloader"
In the command window type fastboot boot <filename.img> i.e. fastboot boot rooted_boot.img and press enter
You should see a couple of lines in the command window telling you it's copying over to the phone, don't worry it's not being flashed or replacing your existing installed boot image
The phone should then restart and boot using the image from your computer, it will be a slightly slower boot than usual, your existing unlock method should still work
Launch the Magisk app, it should already have root access because the boot image you've used is already rooted
Go to Install under the top Magisk section
Choose Direct Install (Recommended)
Magisk will then apply root access to the boot image on the actual phone
You will be prompted to reboot the phone on the bottom right, do this to complete the process
You don't need the phone connected to your computer anymore as the installed boot image on the phone should now have root access
You can check for root either using any app which requires root or by using an app like Root Checker
Remember to empty the contents of payload_input and payload_output once you have finished, leaving them ready for any future rom versions
4. To retain root access after ROM/OTA update :
Install the update either from Oxygen Updater or from Settings > System > System updates
DO NOT REBOOT when prompted
Go to the Magisk app
Go to Install under the top Magisk section
Choose Install to Inactive Slot (After OTA)
Magisk will apply root to the newly installed boot image for the next version
Reboot when prompted by the Magisk app
The phone should reboot into the updated version with root already applied
Very nice write up! Hopefully many will read this and follow instructions. Too many threads being created with issues because they never bother to read.
Quick question as this is my first OnePlus device.
Will I lose root after a system update and will have to do it all over again?
Levi4cyber said:
Quick question as this is my first OnePlus device.
Will I lose root after a system update and will have to do it all over again?
Just added a new section to my original post for this.
Does flashing magisk change anything in encryption?
Does it wipe anything?
How do I get my ROM to extract the boot img?
Levi4cyber said:
Does flashing magisk change anything in encryption?
Does it wipe anything?
No and No
Levi4cyber said:
How do I get my ROM to extract the boot img?
Read the first post.
djsubterrain said:
Read the first post.
I'm asking where to get my ROM file, in order I should be able to extract the boot img?
A link? Somewhere on my phone?
Levi4cyber said:
I'm asking where to get my ROM file, in order I should be able to extract the boot img?
A link? Somewhere on my phone?
It's pinned at the top of the entire forum :
[OnePlus 9 Pro][ROM][OTA][Oxygen OS] Repo of Oxygen OS Builds
As OnePlus doesn't always provide download links for all of their OxygenOS ROMs & OTA update zips, we've created an index to put the links in one post so that they're easy to find. Note: This is not a support thread for issues you may have with...
forum.xda-developers.com
They're also posted on OnePlus's site (eventually) :
Software Upgrade - OnePlus.com
Get the latest OxygenOS updates for your device.OxygenOS is always evolving. Learn about the latest features and improvements, and get even more out of your device.
www.oneplus.com
Make sure the version matches the one you're using
I updated to latest version 11.2.4.4.LE15AA
Since there's nowhere to download the OTA package and extract the boot img, can I use the boot img of a lower version - 11.2.2.2 ?
Levi4cyber said:
I updated to latest version 11.2.4.4.LE15AA
Since there's nowhere to download the OTA package and extract the boot img, can I use the boot img of a lower version - 11.2.2.2 ?
No, definitely not.
Try Oxygen Updater in advanced mode, it should let you download the full rom.
If you were already rooted though, you should've been able to retain it by following the last section in my original post.
If not, then follow the first 2 sections
djsubterrain said:
No, definitely not.
Try Oxygen Updater in advanced mode, it should let you download the full rom
Since I'm completely new to OP, is Oxygen updater an app (if yes, is it this; https://play.google.com/store/apps/details?id=com.arjanvlek.oxygenupdater)? Or is it built into the phone?
Levi4cyber said:
Since I'm completely new to OP, is Oxygen updater an app (if yes, is it this; https://play.google.com/store/apps/details?id=com.arjanvlek.oxygenupdater)? Or is it built into the phone?
I've linked it, it's not a default app
djsubterrain said:
No, definitely not.
Try Oxygen Updater in advanced mode, it should let you download the full rom.
If you were already rooted though, you should've been able to retain it by following the last section in my original post.
If not, then follow the first 2 sections
In the oxygen updater app, if I select "full update" in update method it only gives me version 11.2.2.2., if I select "incremental update", it lets me download 11.2.4.4, and when I unzipped it I have a file payload.bin (it's only 105MB).
Should I use that? Or do I need a full OTA package to extract the boot IMG?
Levi4cyber said:
In the oxygen updater app, if I select "full update" in update method it only gives me version 11.2.2.2., if I select "incremental update", it lets me download 11.2.4.4, and when I unzipped it I have a file payload.bin (it's only 105MB).
Should I use that? Or do I need a full OTA package to extract the boot IMG?
Are you choosing the correct OnePlus 9 Pro? It'll show you different variants under the model lookup.
To be honest, If I get the update pushed via OnePlus I always copy/paste it somewhere else cos I think it gets deleted once the upgrade is done.
If you extract the payload.bin and it shows a boot.img then that should suffice. I think it should be around 105MB (I'm on my work PC at the moment so can't check)
Thanks. I'm on the T-Mobile version of the OnePlus 9 Pro, technically my phone is currently on "11.2.2.2.LE5ACB" and the one on OnePlus's support site is "11.2.2.2.LE15AA". I'm not sure the difference but I assume T-Mobile bloatware. Hopefully they didn't do anything else to make the phone work "slightly better" on their network.
I'm not sure if the boot.img I extracted from 11.2.2.2.LE15AA will work with my currently-installed "11.2.2.2.LE5ACB"; any ideas?
Might be better to create a boot.img from my existing version and patch that. Do you know the dd command for me to just create the boot.img from my existing partition? In the past with other phones I've done something like "dd if=/dev/block/mmcblk0 of=/storage/sdcard1/boot.img bs=4096 count=4096 skip=7552" or "dd if=/dev/block/bootdevice/by-name/boot of=boot.img" but I don't know which partition on the OnePlus 9 Pro to image. Any ideas?
--- Update 1 ---
Code:
OnePlus9ProTMO:/ $ ls -l /dev/block/bootdevice/by-name/*boot*
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/boot_a -> /dev/block/sde16
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/boot_b -> /dev/block/sde43
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/vendor_boot_a -> /dev/block/sde28
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/vendor_boot_b -> /dev/block/sde55
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/vm-bootsys_a -> /dev/block/sde24
lrwxrwxrwx 1 root root 16 1970-01-20 02:38 /dev/block/bootdevice/by-name/vm-bootsys_b -> /dev/block/sde51
Then looking at my active mounts I saw this:
Code:
OnePlus9ProTMO:/ $ mount | egrep "sde16|sde43|sde28|sde55|sde24|sde51"
/dev/block/sde51 on /vendor/vm-system type ext4 (ro,seclabel,nosuid,nodev,relatime)
Which indicates that I'm on the "b" side. So I would want to create a boot.img from `/dev/block/bootdevice/by-name/vendor_boot_b` potentially. So this command "should" work, right?
Code:
dd if=/dev/block/bootdevice/by-name/vendor_boot_b of=/sdcard/Download/stock_boot.img
I might try that instead of the boot.img I extracted from 11.2.2.2.LE5ACB since it doesn't technically line up with the T-Mobile supplied ROM version.
--- Update 2 ---
Yeah, that didn't work. Turns out dd needs to be elevated to do its thing. Got a "Permission denied" when I tried to create the image. So yeah, ironically I need root to run said command and that's why I was trying to run the command, to get the boot.img to root. lol. oh well.
Thank you very detailed.
When I click on the payload_dumper.exe file, the cmd window flashes and nothing else happens.
glitchsys said:
Turns out dd needs to be elevated to do its thing.
Try watching this, man, I think this is exactly what you are missing:
Code:
https://www.youtube.com/watch?v=DyUainEJwLM

Root guide (updated)

==== READ THIS POST BEFORE ROOTING ====
https://www.reddit.com/r/surfaceduo/comments/wn5joi/a_warning_to_wouldbe_developers_and_hobbyist/
(ORIGINAL GUIDE BELOW)
Since the last guy hasn't been updating his op, I figured I'd start a fresh thread with what we know and what to do for newcomers.
I will not be posting patched boot images in this thread, I'm a firm believer of "give you steps to follow from the top so you know what's going on and can do this yourself in the future". The more hands we have in the kitchen, the more we learn, and the better we are off as a community.
Walkthroughs for both fresh rooting and updating while rooted are both below:
==== FRESH ROOT ====
0. make sure USB debugging is on in settings > developer options
0. make sure the phone's bootloader is actually unlocked, if the below doesn't work, back up all the data on your phone because we're about to wipe it
Code:
.\fastboot.exe flashing unlock
.\fastboot.exe flashing unlock_critical
I did both, but it might only require one of the two, if you only did one and it doesn't work you may not be fully unlocked and might have to do the other. Both of these commands from the bootloader will factory reset your phone. if you've already done this, go to step 1.
1. go here https://support.microsoft.com/en-us/surface-recovery-image put in your serial number (can be found in settings) and download the latest recovery image
2. download payload_dumper from here https://gist.github.com/ius/42bd02a.../48ffe1eee59af9a7da883d9ec7902d1507428dc4.zip
3. download the latest platform-tools from here https://developer.android.com/studio/releases/platform-tools
4. extract all three zips to the same folder, a folder on your desktop is fine, mine is just the name of the current MS zip archive (2021_314_91 at time of writing and used in the below examples)
5. open powershell, and cd to that folder.
6. from the folder, run it like this
Code:
PS C:\wherever\your\****\is\2021_314_91> python.exe -m payload_dumper ./payload.bin
(this will extract a bunch of stuff, boot.img is all we care about today)
6a. if you don't have python, get it from ninite https://ninite.com/pythonx3/ and go back to step 5/6 and try again, you will likely also need to do a "pip install protobuf" to get the required python libraries for payload-dumper
7. download the latest version of magisk manager (the new magisk app may work, but I've not tested it, this is the exact version I am using on the exact phone you are using. If you feel like trying the app please report in the thread below!) https://github.com/topjohnwu/Magisk/releases/download/manager-v8.0.7/MagiskManager-v8.0.7.apk
8. install magisk manager on your phone
9. make a text file, I called mine magisk_channel.txt and put this in it
Code:
https://raw.githubusercontent.com/Lethany/magisk_files/0755a7d5f596dc2a351270120b31b665fb561294/stable.json
this is the "custom" channel we are using to force an older version of magisk that doesn't choke on our device like newer versions do.
10. use usb data transfer mode to copy the boot.img file we extracted from step 6 and the text file we created in step 8 to your phone's internal storage, I have a folder on the root of the internal storage directory called Z_Phone, but anywhere is fine as long as you know where it is and remember it later.
11. in magisk manager, click the gear in the top right and then select "update channel" > "custom channel"
12. use your duo's dank duo mode to open a file browser on the other screen, open the text file we made in step 9
13. copy and paste the custom channel text into the custom channel field under update channel in magisk so it has the text from step 9 in it. (the text file just saves us typing it out by hand)
14. go back to the magisk main screen, and click install next to "magisk"
14b. click next
14c. click "select and patch a zip file"
14d. browse to the location we uploaded boot.img to in step 9 and select boot.img
14e. click let's go
(this will create the patched boot.img, it'll be named magisk_patched_[some garbage].img)
15. open the internal storage on your PC again, and go to your phone's "downloads" folder, it'll have that patched boot.img (if you've tried this a bunch of times and don't remember which one we just made, feel free to delete all the old ones and do 14-14e again) copy this patched_boot.img to your computer, I just put it in that same folder as step 4
16. in powershell, cd back to that same working folder we've been using and run
Code:
.\adb.exe reboot bootloader
The phone will reboot to the bootloader and we can now try booting the patched image
16. in powershell, run
Code:
.\fastboot.exe boot .\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
17. if your phone boots, that's a great sign and we're out of the woods, nothing else will probably go wrong from here, if it doesn't boot factory reset your phone and start at step 0.
18. open an adb shell prompt and make our boot partitions writable with the below 4 lines, run one by one. Right now we're "rooted" but we've booted off an image over usb, what we really want is to boot off the images on your phone so we need to.
Code:
.\adb.exe shell
su
chmod 777 /dev/block/by-name/boot_a
chmod 777 /dev/block/by-name/boot_b
19. write the patched boot image to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_b
(my patched boot image is in a folder called "Z_Phone" and my patched image is called "magisk_patched_ks4OZ.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_b
)
20. reboot your phone via the power button menu and if all went well, you're now rooted!
==== UPDATE WHILE ROOTED ====
1. go here https://support.microsoft.com/en-us/surface-recovery-image put in your serial number (can be found in settings) and download the latest recovery image
2. download payload_dumper from here https://gist.github.com/ius/42bd02a.../48ffe1eee59af9a7da883d9ec7902d1507428dc4.zip
3. download the latest platform-tools from here https://developer.android.com/studio/releases/platform-tools
4. extract all three zips to the same folder, a folder on your desktop is fine, mine is just the name of the current MS zip archive (2021_314_91 at time of writing)
5. open powershell, and cd to that folder.
6. from the folder, run it like this
Code:
PS C:\wherever\your\****\is\2021_314_91> python.exe -m payload_dumper ./payload.bin
(this will extract a bunch of stuff, boot.img is all we care about today)
7. boot off of your old magisk patched boot image
Code:
.\adb.exe reboot bootloader
.\fastboot.exe boot ..\[LAST VERSION'S FOLDER]\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
8. write the old, unpatched boot partition to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/boot.img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/boot.img of=/dev/block/by-name/boot_b
(my unpatched boot image is in a folder called "Z_Phone" and my unpatched image in this example is called "boot.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/boot.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/boot.img of=/dev/block/by-name/boot_b
)
9. reboot
10. run the OTA update on your now freshly stock phone
11. use magisk to patch the new boot image same as in the first root instructions (14a-14e)
12. copy this patched image off of the phone and into our working directory. leave a copy of this on the phone (I put it in my Z_Phone folder)
13. reboot to bootloader (in powershell, in that same working folder we've been using run)
Code:
.\adb.exe reboot bootloader
14. Boot your phone using the patched boot image (in powershell, run)
Code:
.\fastboot.exe boot .\magisk_patched_[WHATEVER_YOURS_IS_NAMED].img
15. write the patched boot image to your boot partitions with the below lines, again run one by one
Code:
adb shell
su
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_a
dd if=/sdcard/[PATH TO IMAGE]/[PATCHED BOOT].img of=/dev/block/by-name/boot_b
(my patched boot image is in a folder called "Z_Phone" and my patched image is called "magisk_patched_ks4OZ.img" so my commands look like:
Code:
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_a
dd if=/sdcard/Z_Phone/magisk_patched_ks4OZ.img of=/dev/block/by-name/boot_b
)
16. reboot and you're updated and rooted!
special thanks to Perseu5 and his original thread!
Unlocking Bootloader/ Magisk Attempt
MAGISK FULL GUIDE (APK for install and other mods coming soon!) The bootloader unlock is pretty similar to any other phone. Go to settings>about> click on build number until developer options are enabled. Go back and select system>Developer...
forum.xda-developers.com
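A read-back check for the dd steps above, as an added example that is not part of the original post: it confirms that a dump of boot_a and of boot_b each begins with exactly the image that was written, and flags slots that differ. It assumes each slot was first dumped to a file and copied to the PC; the function names and sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large dumps are not loaded whole


def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of `path`; None if the file is shorter."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining:
            block = fh.read(min(CHUNK, remaining))
            if not block:
                return None  # file ended before `length` bytes were read
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()


def verify_slots(image_path, slot_dumps):
    """Compare an image with raw dumps of the partitions it was written to.

    slot_dumps maps a slot name ("boot_a") to the path of its dump (assumed to
    have been produced beforehand). A partition is normally larger than the
    image, so only the first len(image) bytes are compared; the rest is
    whatever the partition held before the write.
    """
    size = os.path.getsize(image_path)
    expected = sha256_prefix(image_path, size)
    slots = {}
    for slot, dump in slot_dumps.items():
        if os.path.getsize(dump) < size:
            slots[slot] = "too-small"      # image cannot fit: wrong or cut-off dump
        elif sha256_prefix(dump, size) == expected:
            slots[slot] = "match"
        else:
            slots[slot] = "mismatch"       # slot holds some other image
    return {
        "image_size": size,
        "image_sha256": expected,
        "slots": slots,
        "all_match": bool(slots) and all(s == "match" for s in slots.values()),
    }


def run_constructed_demo():
    """Constructed data: boot_a holds the image, boot_b differs, one dump is cut off."""
    image = bytes(range(256)) * 20         # 5120-byte stand-in for the patched image
    padding = b"\xff" * 3072               # partition space beyond the image
    other = b"\xaa" + image[1:]            # same length, first byte differs
    with tempfile.TemporaryDirectory() as workdir:
        paths = {}
        for name, content in (("image.img", image),
                              ("boot_a.bin", image + padding),
                              ("boot_b.bin", other + padding),
                              ("short.bin", image[:1000])):
            paths[name] = os.path.join(workdir, name)
            with open(paths[name], "wb") as fh:
                fh.write(content)
        return verify_slots(paths["image.img"], {
            "boot_a": paths["boot_a.bin"],
            "boot_b": paths["boot_b.bin"],
            "short": paths["short.bin"],
        })


if __name__ == "__main__":
    report = run_constructed_demo()
    for slot, status in report["slots"].items():
        print(f"{slot}: {status}")
    print("all slots match:", report["all_match"])
```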
Nice work!
NTchrist said:
special thanks to Perseu5 and his original thread!
Unlocking Bootloader/ Magisk Attempt
MAGISK FULL GUIDE (APK for install and other mods coming soon!) The bootloader unlock is pretty similar to any other phone. Go to settings>about> click on build number until developer options are enabled. Go back and select system>Developer...
forum.xda-developers.com
My Magisk still shows that there's an update pending for the framework. When I try to patch the stock boot or the custom, it doesn't boot past the Windows logo. I'm guessing the update is for Magisk 21+?
LocBox said:
My Magisk still shows that there's an update pending for the framework. When I try to patch the stock boot or the custom, it doesn't boot past the Windows logo. I'm guessing the update is for Magisk 21+?
Magisk updates are based on the git channel it's fed. Best guess is you don't have the same git repo as in the guide. If you feed it a repo link to a static version it should never be aware of any updates ever. As far as the app is concerned you're on the latest version.
On vacation until Wed, then I'll push through the new patch and update the guide
update process works successfully and is unchanged from previous versions
update process for 2021.525.62 works successfully and is unchanged from previous versions
This is incredibly helpful! I didn't even know you could unpack the payload.bin lol. I'll be doing some work in the kitchen thanks to this!
For anyone who needs it, here is a patched boot.img for ATT Locked 2021_525_63
nevergrownup said:
For anyone who needs it, here is a patched boot.img for ATT Locked 2021_525_63
Can you send the link or tell me how you were able to get the boot.img? When I try to download the factory image from MS, it is still giving me 2021.419.71.
EDIT: The new "Surface Duo - 256GB - Android 10 - ATT - 2021.525.63" recovery image is available on the "Surface Recovery Image Download" page. Thanks nevergrownup for giving me the heads up on Reddit
Is anyone on 2021.525.63 having issues? I've followed the exact guide above, as well as using the newest Magisk version & attempting to boot the patched boot.img just leads my Duo to hang on the Microsoft logo. Just want to see if anyone else has an issue or it's just me.
Thanks.
Veritas06 said:
Is anyone on 2021.525.63 having issues? I've followed the exact guide above, as well as using the newest Magisk version & attempting to boot the patched boot.img just leads my Duo to hang on the Microsoft logo. Just want to see if anyone else has an issue or it's just me.
Thanks.
When flashing stock July, my lockscreen keypad is frozen. Can't unlock it to use.
LocBox said:
When flashing stock July, my lockscreen keypad is frozen. Can't unlock it to use.
That's on a fresh install or after flashing the Magisk-modified boot.img?
I'm about to restore with the recovery image & start this again, in case there's some difference between OTA & recovery.
EDIT: Doing a factory reset, ADB sideload of the recovery image, creating the new Magisk boot.img, & booting still doesn't work. I'm going to try the guide's version one more time to use the older version of Magisk Manager & the custom channel, but based on previous experience, I'm not hopeful. I only bought this as a device to have fun with because it can be rooted, so I'm regretting this purchase right now =\
Veritas06 said:
That's on a fresh install or after flashing the Magisk-modified boot.img?
I'm about to restore with the recovery image & start this again, in case there's some difference between OTA & recovery.
EDIT: Doing a factory reset, ADB sideload of the recovery image, creating the new Magisk boot.img, & booting still doesn't work. I'm going to try the guide's version one more time to use the older version of Magisk Manager & the custom channel, but based on previous experience, I'm not hopeful. I only bought this as a device to have fun with because it can be rooted, so I'm regretting this purchase right now =\
I do have the factory unlocked, not the ATT version. In my experience when your lockscreen touch input is not recognized, that happens when either the boot image doesn't match the factory image, or someone has used the factory unlocked boot on an ATT phone or vice-versa.
I'd try a dirty flash of the complete applicable factory images (not just boot/recovery) and then factory reset, then start again from the top. It's possible one of your updates didn't complete or something's become inconsistent between A/B
NTchrist said:
I do have the factory unlocked, not the ATT version. In my experience when your lockscreen touch input is not recognized, that happens when either the boot image doesn't match the factory image, or someone has used the factory unlocked boot on an ATT phone or vice-versa.
I'd try a dirty flash of the complete applicable factory images (not just boot/recovery) and then factory reset, then start again from the top. It's possible one of your updates didn't complete or something's become inconsistent between A/B
Thanks. I never even got far enough to see failed touch input, but may try rooting again this weekend. I wasn't able to ever get past the MS logo on boot, after attempting to fastboot boot the Magisk-modified boot.img.
I am in the same boat as Veritas is. My Duo is from ATT and hangs on the Microsoft logo as well. I am very new to rooting and what goes into it so a lot of this stuff I am seeing for the first time. How do I know if I have the correct boot? I went through the whole process of extracting the boot image from the recovery file for my phone off of the Microsoft website. Does that get me the right boot to use?
ThrowARoot said:
I am in the same boat as Veritas is. My Duo is from ATT and hangs on the Microsoft logo as well. I am very new to rooting and what goes into it so a lot of this stuff I am seeing for the first time. How do I know if I have the correct boot? I went through the whole process of extracting the boot image from the recovery file for my phone off of the Microsoft website. Does that get me the right boot to use?
It should, yes. Unfortunately I do not have an ATT phone to test against. You'd have to have someone else in the thread confirm it works on the ATT build. About the only thing you can do is boot to stock, and check that settings>about>build number matches the images you downloaded from microsoft (2021.525.62) at time of writing
Actually in checking my settings I noticed there was a new update available, so ignore the build number above just make sure the image you download matches the image on your device
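One way to inspect a boot.img directly, as an added example that is not part of the original thread: an Android boot image begins with a header that records the OS version and security patch level it was built for, so two images (for example one extracted from the recovery download and one obtained elsewhere) can be compared field by field, and a cut-off download can be detected. The helper names and sample images are constructed for illustration, and the parser covers header versions 0 to 4, which goes beyond any single device in this thread; the header does not carry the vendor build number, so this complements the build-number check rather than replacing it.

```python
import struct

BOOT_MAGIC = b"ANDROID!"


def pack_os_version(a, b, c, year, month):
    """Inverse of decode_os_version; used only to build the constructed samples."""
    return ((a << 14 | b << 7 | c) << 11) | ((year - 2000) << 4 | month)


def decode_os_version(word):
    """Split the packed os_version word into ('A.B.C', 'YYYY-MM')."""
    a, b, c = (word >> 25) & 0x7F, (word >> 18) & 0x7F, (word >> 11) & 0x7F
    year, month = ((word >> 4) & 0x7F) + 2000, word & 0xF
    return f"{a}.{b}.{c}", f"{year:04d}-{month:02d}"


def parse_boot_header(data, total_size=None):
    """Parse the fixed part of a boot image header (header versions 0-4).

    `data` needs at least the first 48 bytes of the file; pass the real file
    size as `total_size` when only the start of the file was read.
    """
    total_size = len(data) if total_size is None else total_size
    if len(data) < 48:
        raise ValueError("too short to hold a boot image header")
    if data[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not a boot image")
    (header_version,) = struct.unpack_from("<I", data, 40)
    if header_version <= 2:
        # v0-v2: sizes and load addresses interleaved, page size stored in header
        kernel_size, _, ramdisk_size = struct.unpack_from("<3I", data, 8)
        page_size, _, os_word = struct.unpack_from("<3I", data, 36)
    elif header_version <= 4:
        # v3-v4: no load addresses, page size fixed at 4096
        kernel_size, ramdisk_size, os_word = struct.unpack_from("<3I", data, 8)
        page_size = 4096
    else:
        raise ValueError(f"unsupported header version {header_version}")
    if page_size == 0:
        raise ValueError("page size of zero: corrupt header")
    pages = lambda n: -(-n // page_size)          # round up to whole pages
    # header page + kernel + ramdisk; optional sections would add to this
    min_size = page_size * (1 + pages(kernel_size) + pages(ramdisk_size))
    os_version, patch_level = decode_os_version(os_word)
    return {
        "header_version": header_version,
        "os_version": os_version,
        "patch_level": patch_level,
        "kernel_size": kernel_size,
        "ramdisk_size": ramdisk_size,
        "page_size": page_size,
        "min_size": min_size,
        "truncated": total_size < min_size,
    }


def compare_images(info_a, info_b):
    """Return the build-identifying header fields on which two images disagree."""
    keys = ("header_version", "os_version", "patch_level")
    return [k for k in keys if info_a[k] != info_b[k]]


def sample_image(header_version, os_word, kernel_size=5000, ramdisk_size=100):
    """Constructed boot image: a valid header followed by zero-filled payload."""
    page = 4096
    if header_version <= 2:
        fields = struct.pack("<10I", kernel_size, 0, ramdisk_size, 0, 0, 0, 0,
                             page, header_version, os_word)
    else:
        fields = (struct.pack("<4I", kernel_size, ramdisk_size, os_word, 1580)
                  + bytes(16) + struct.pack("<I", header_version))
    header = (BOOT_MAGIC + fields).ljust(page, b"\0")
    payload_pages = -(-kernel_size // page) + -(-ramdisk_size // page)
    return header + bytes(payload_pages * page)


if __name__ == "__main__":
    mine = parse_boot_header(sample_image(2, pack_os_version(10, 0, 0, 2021, 5)))
    theirs = parse_boot_header(sample_image(3, pack_os_version(11, 0, 0, 2022, 3)))
    print(mine)
    print("fields that differ:", compare_images(mine, theirs))
```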
Ok, I am not sure what I am doing wrong, and before anyone says anything, this is not my first or 10th phone I have rooted. First, the so-called image that you download from Microsoft is nothing but folders of useless text docs, and the patched Magisk image in this thread says it works. I went through the whole setup; it says the boot image was successfully done, yet upon rebooting my device is not rooted. Can anyone help with this?

How To Guide [Guide] Xiaomi Mi Pad 5 MIUI12/13 ROOT Step-by-step - Pass SafetyNet, Widevine L1

Everything you do, you do at your own risk. I'm not responsible for all damages, this can also lead to loss of warranty.
Hi,
Probably many of you know how to do a Magisk install without TWRP, but this guide is for people who don't know and don't want to mess things up.
I will try to show you step by step how to do it.
Many thanks to:
kdrag0n
topjohnwu
Leave them a nice feedback
!!! Before we start make sure your device is unlocked, if you don't know how to do it below is link to official Xiaomi guide !!!
https://c.mi.com/thread-2262302-1-0.html
Requirement
Xiaomi Mi Flash ver. =>3-14-0 - Needed to install all adb drivers Download
ADB & Fastboot tools - Could be the one built into Mi Flash tool I'll use this to make it simple
Magisk =>24.2 - This software is base of our rooting process Download
SafetyNet Fix => 2.2.1 (Zygisk) - Needed to backdoor SafetyNet fail check, at the moment it is only working method for Mi Pad 5 Download Make sure you download the Zygisk version!
Boot.img - You can download from official MIUI website full flashable rom and separate boot.img file from there, or use my if your Miui version is China 13.0.5, EEA 13.0.3, Global 13.0.1
China 13.0.5
EEA 13.0.3
Global 13.0.1
Installation
To make it easier, Green color means what you need to do on Tablet, Orange on PC
Unzip Mi Flash tool
Open folder and run XiaoMiFlash.exe, if window "Driver" won't pop-up click on the Driver tab and then "Install" button and close all windows.
Connect your tablet to computer, when your tablet ask how you want use USB, choose File Transfer/Android Auto
Copy to internal storage Magisk-v****.apk, safetynet-fix-v****.zip and boot.img
Open File Manager on your tablet find a folder where you copied all files, and install Magisk
Open Magisk app, and click on Install in section Magisk, then select "Select and Patch a File", after that find your boot.img file and click on it
Click "LET'S GO" button on the right side and wait until process will be finished
On your computer in the tablet's storage window, go to the file specified in the application probably /Download/magisk_patched-*****
Copy this file to a subfolder of Mi Flash on your computer, exactly to MiFlash2020-3-14-0\Source\ThirdParty\Google\Android and change the name of this file to boot.img
Open PowerShell/Windows Terminal in this folder (Hold Shift + Right click -> Open PowerShell window here)
Make sure your tablet has USB debugging enabled in Developer options: Settings -> Additional settings -> Developer options -> USB debugging
Turn off your tablet, then hold down Power and VOL- until the screen lights up, then release power button, if Fastboot appears, everything went fine
Go back to your Terminal window and type to check if your computer see your tablet
Code:
./fastboot.exe devices
If you see the answer "******** fastboot" it means there is communication between PC and Tablet
Next type this command to flash patched boot image
Code:
./fastboot.exe flash boot boot.img
Next type this command to reboot your device
Code:
./fastboot.exe reboot
Restart can take a longer time than normal
Open Magisk app and check status of Magisk, if you see for example "Installed 24.2 (24200)" everything went fine
Open Settings in right corner of app and in section App click on Hide the Magisk app then type name for hidden app, it will ask to install new app so do it
Open again Magisk app and open Settings in section Magisk enable Zygisk (Beta) and Enforce DenyList
Click on Configure DenyList then click on three dots in right corner and uncheck Show system apps
Search for all the apps in the list below and check them. It is important to click on their name to see all modules, once you have done this click on the box to activate all of them
Code:
Google
Google Assistant (I have two)
Google Pay
Google Play services
Google Play Store
After that reboot your tablet, and open again Magisk app
On the bottom click on Modules
Click on Install from storage button and find file safetynet-fix-v*******.zip, then click on it
After that reboot your device one more time
After reboot open Android Settings go to Apps and Unhide system services than find and clear all data of Google Play services and Google Play Store
Reboot tablet last time
If you have reached this point it means that everything has gone correctly, probably for about 3 hours you will still not be able to install Netflix and some banking applications but after this time everything will be back to normal, this is because Google's servers have detected that Magisk has been installed but that the application has been changed and Zygisk has been enabled so at the next check it notices that everything is Ok and gives access back.
Quick explanation of what happened here:
Magisk has been installed and device is Rooted
The application has been changed and hidden
Zygisk has been activated and hidden from Google services
SafetyNet-fix was installed, which restores the functionality of SafetyNet and Widevine L1, which is blocked after the installation of Magisk and unlocked Bootloader
Hello,
(I use google translate).
Thanks for your method. Before using it, I would like to ask you a few questions.
I have already rooted a few devices (mipad 1, mi phone, htc...) with my macbook and twrp.
The adb files are already installed on my mac.
1) once the pad 5 is rooted, should I, like on my phone, patch the new boot.img file with each update?
2) Could I install the twrp application afterwards to be able to do a complete backup of the system and possibly install a version of lineageos later?
3) Is there a version of miflash unlock tool for mac os x?
4) Should I register or register on the Xiaomi site before unlocking the boot?
Thank you in advance for your method and your answers.
Nux01
Nux01 said:
Hello,
(I use google translate).
Thanks for your method. Before using it, I would like to ask you a few questions.
I have already rooted a few devices (mipad 1, mi phone, htc...) with my macbook and twrp.
The adb files are already installed on my mac.
1) once the pad 5 is rooted, should I, like on my phone, patch the new boot.img file with each update?
2) Could I install the twrp application afterwards to be able to do a complete backup of the system and possibly install a version of lineageos later?
3) Is there a version of miflash unlock tool for mac os x?
4) Should I register or register on the Xiaomi site before unlocking the boot?
Thank you in advance for your method and your answers.
Nux01
Hi Nux01,
1. Unfortunately yes, TWRP isn't supported for Pad 5 yet.
2. It won't work, TWRP app is only making a request to TWRP custom recovery, until it doesn't exist you can't even install custom ROM
3. It is, but i didn't test it yet on Pad 5, and I don't know if it will work with new decides because last release is from 20.07.2020.
https://github.com/francescotescari/XiaoMiToolV2/releases
4. Yes, you need Xiaomi account, also your device has to be logged in, and registered to unlock, Xiaomi made complete guide how to do this, link is on the top of this post.
Hello,
Thank you for your quick reply.
The latest version of Mitool does not work. On the other hand, with regard to version 20.7.21, it's OK.
What does it mean: "I do not know if it will work with new decides".
And to unlock the bootloader, I have to use the Xiaomitool V2 application?
Thanks again.
NUX01
Nux01 said:
Hello,
Thank you for your quick reply.
The latest version of Mitool does not work. On the other hand, with regard to version 20.7.21, it's OK.
What does it mean: "I do not know if it will work with new decides".
And to unlock the bootloader, I have to use the Xiaomitool V2 application?
Thanks again.
NUX01
I mean it's quite old release so it may not work with current unlock bootloader process on new devices like a Xiaomi 12, Xiaomi Pad 5 etc. I can't promise it won't brick your device, only confirmed method is by official Xiaomi tool.
Thank you
I'll wait a little bit before rooting my tablet.
Have a nice day.
Followed the instruction, worked like a charm. Although I had unknown "chinese sings" errors with the driver install it worked. By the way there is a newer version of the flashing tool.
Thanks for the effort of writing this down!
Hello,
I just managed to unlock the bootloader of my tablet "Pad 5".
I tried under Mac and Linux with Xiaomitool V2 without success (error 20036 and 20045).
I also tried with VirtualBox who did not recognize the tablet.
I succeeded with VMware and Windows 7 by testing different drivers and it worked.
I just root the tablet with Magisk.
On the other hand, is there the equivalent of TWRP to make a complete system backup. Apart from Titanium and MyBackup.
Thanks for your help.
thanks dude.
didn't try this yet, just wondering.
can't i just flash recovery and then flash magisk.apk?
thanks
Can i update ota to 13.0.2 after rooted? Just update and root again?
Cpanel10x said:
Can i update ota to 13.0.2 after rooted? Just update and root again?
You can update, but after that you need root again but with boot.img from 13.0.2
How to get the boot.img 13.0.2? I checked the 3GB Firmware and only found vendor_boot.img. Is it the same thing?
Never mind. I got the boot.img from here: https://miuirom.org/tablets/xiaomi-pad-5
Thomas Brown 99 said:
Never mind. I got the boot.img from here: https://miuirom.org/tablets/xiaomi-pad-5
boot.img for miui global 13.0.3(RKXINXM) isn't available there. Plz help...
Thanks for this awesome guide. Do you have some suggest about the magisk modules to install?
thanks, it just worked perfectly and your step by step guide is very handy and helpful. thanks so so much.
vjsaini00 said:
boot.img for miui global 13.0.3(RKXINXM) isn't available there. Plz help...
Today evening, I'll add more boot.img
kisielec said:
Today evening, I'll add more boot.img
eagerly waiting, Thanks
Hey there.
I have done everything above and I MIGHT have some problem. The problem with my problem is that it's not really reproducible easily even for me.... Weird, I know!
Let's go into details:
Issue description: When I reboot my tablet it goes into "MIUI Recovery" window, on which I am offered to reboot the device or clean.... And when I reboot it goes back to the recovery screen again. Like a loop-hole.
....
But then if I leave it untouched for several minutes it reboots itself and launches the system properly finally...
When did it start: It first started after I performed this step:
24. Click on Install from storage button and find file safetynet-fix-v*******.zip, then click on it
25. After that reboot your device one more time
When I finally landed in the system I of course continued and performed further steps. After another reboot in step 27 the same thing happened but much, much longer.
I thought it somehow self fixed and works - once I am in the system. Right? So I did a reboot to test it. And no... recovery screen again for another 20 or so minutes until finally MIUI loaded fully.
Now I am afraid to turn off / reboot my tablet... I am afraid it might never finish booting next time.
Any ideas what's wrong and how to fix this weird and irregular behaviour?
My details:
Device: Xiaomi Pad 5 6/256gb
Original system was Chinese. I have reinstalled to Global one a version ago.
MIUI version currently running: 13.0.3(RKXMIXM)
Android version: 11 RKQ1.200826.002
Magisk version: 25.1 (25100) (32)
Magisk Modules: Universal SafetyNet Fix v2.2.1 (yes I made sure to download around Zygisk section)
Anything else I shall provide?
cysmaster said:
Hey there.
I have done everything above and I MIGHT have some problem. The problem with my problem is that it's not really easily reproducible, even for me.... Weird, I know!
Let's go into details:
Issue description: When I reboot my tablet it goes into "MIUI Recovery" window, on which I am offered to reboot the device or clean.... And when I reboot it goes back to the recovery screen again. Like a loop-hole.
....
But then if I leave it untouched for several minutes it reboots itself and launches the system properly finally...
When did it start: It first started after I performed this step:
When I finally landed in the system I of course continued and performed further steps. After another reboot in step 27 the same thing happened but much, much longer.
I thought it somehow self fixed and works - once I am in the system. Right? So I did a reboot to test it. And no... recovery screen again for another 20 or so minutes until finally MIUI loaded fully.
Now I am afraid to turn off / reboot my tablet... I am afraid it might never finish booting next time.
Any ideas what's wrong and how to fix this weird and irregular behaviour?
My details:
Device: Xiaomi Pad 5 6/256gb
Original system was Chinese. I have reinstalled to Global one a version ago.
MIUI version currently running: 13.0.3(RKXMIXM)
Android version: 11 RKQ1.200826.002
Magisk version: 25.1 (25100) (32)
Magisk Modules: Universal SafetyNet Fix v2.2.1 (yes I made sure to download around Zygisk section)
Anything else I shall provide?
I also have this module installed without problems. As there is no recovery for the Pad 5, it is a good idea to install the Magisk Bootloop Protector module in Magisk, which serves exactly to prevent what you are afraid will happen to your tablet.

Teclast M40 Pro Discoveries

Various helpful points of knowledge to unlock your bootloader, to root, and use your tablet.
Problem: Where can I obtain the official firmware?
Solution: Teclast Website
Usage: type M1A3 in search
Problem: How can I unpack "pac" files?
Solution: Build C utility divinebird / pacextractor
Solution: Download pre built Linux executable pacextractor.zip
Usage: >./pacextractor Firmware.pac
Bash:
git clone https://github.com/divinebird/pacextractor
cd pacextractor
make
Problem: I need tools to flash my device
Solution: Download the latest SPD Upgrade Flash Tool SPD_Upgrade_Tool
Problem: msvcr100.dll missing error in Windows whilst running SPD (Factory/Research/Upgrade) Tools
Solution: Download and install 2010 Visual C++ Distribution
Problem: I want to unlock my bootloader. (Windows and Linux kit)
Solution: Download TeclastM40Pro_Unisoc_UnlockTools.zip
Usage: Read readme file.
Problem: How can I remove the dm-verity warning on boot up after unlocking the bootloader?
Untested Solution: digitally sign the vbmeta partition and write it back. See [Tutorial] How to create a custom signed vbmeta.img
Problem: I want to root my device.
Solution: Modify boot.img with Magisk, then sign.
Usage: Upload to your device's download directory, the current boot.img read from your device, or from the same version firmware. Then install Magisk app from here. Use Magisk to patch the boot.img. Sign the partition. Then flash back the signed magisk version of boot.img to "boot_a" partition. Guide to flashing single partition at Hovatek Website
Problem: I need to emergency flash my device?
Solution: Currently only from Windows, use SPD Upgrade Tools to reflash firmware.
Usage: From the tablet powered off, or if boot looping. Hold down the power-button and volume-down for five seconds, release the power-button, and keep the volume-down button still held for another five seconds, then release or release if the detected earlier. Windows and SPD tools should then detect your device to flash.
Problem: I want to improve my Teclast M40 Pro
Solution: List of suggested apps below;
FDroid App Store F-Droid Website
Aurora > via FDroid. App store allowing the direct download from Google Playstore, without your own account.
Lawnchair > via FDroid. Fast open source sophisticated launcher.
AdAway > via FDroid. Removes adverts whilst using apps.
TrackerControl > via FDroid. Manages apps access to internet, and blocks spyware and trackers.
Problem: I want root mode without the effort of hacking a rom partition.
Solution: For those with World version Teclast M40 Pro device, here is a signed rooted boot partition I created. Read the readme file inside the zip. You will require an unlocked device, windows setup with USB drivers for Teclast, the complete firmware from Teclast website, and SPD Update Tools installed. If you're successful, then on rooting you will need to install Magisk app to get root active. Magisk will reboot once to finalise.
Download : TeclastM40Pro_ROW__v1p0_signedboot_magiskrooted.zip
Download : TeclastM40Pro_ROW__v1p2_signedboot_magiskrooted.zip
SPD Upgrade Tools is closing while trying to flash stock firmware, both with M40 Pro locked and unlocked bootloader. What should i do?
laurorual said:
SPD Upgrade Tools is closing while trying to flash stock firmware, both with M40 Pro locked and unlocked bootloader. What should i do?
Sorry for replying late. I got no indication of the response. To the problem, I can only suggest getting a different version of SPD or making sure your computer system is properly updated. I hope you've already solved the issue!
Maybe you're experiencing, "Problem: msvcr100.dll missing error in Windows whilst running SPD (Factory/Research/Upgrade) Tools" See above for solution.
I've noticed a new ROM for world edition, "M40 Pro(M1A3)_Android 11.0_ROW V1.02_20220525", but not getting any system update options for OTA. People flashing their systems may want the latest firmware!
Thanks to your Magisk file I was able to root my tablet, but when updating to the latest version it goes into bootloop, I have tried updating the original firmware image again, but it also goes into bootloop.
Is there any way to install Magisk modules?
Thanks for your post, it helped me a lot to unlock my tablet.
Edit: My version is the M1A1 firmware V1.03_20210804
Edit 2: Finally, when updating my tablet with the root file that is in the post, it did not allow me to install any Magisk module, the solution is to download version 24.3, and update automatically, without changing to a higher version of Magisk
Glad you worked it out Miny !!! Sorry the warning emails for new posts have been going to a gmail account I no longer use.
Also your hardware may be different and require its own unique firmware and boot images. It seems the cracking is similar though.
Some questions:
Do I need to unlock my bootloader in order to be able to get root with magisk?
The tools for unlocking the bootloader uses
Code:
fastboot flashing unlock_bootloader
My version of fastboot (33.0.3p1-android-tools) doesn't have that command. The included one (0.0.0-09219) does, but I want to be careful about running software from untrusted sources. Where is that version of fastboot from?
Does any of the steps necessary to get root access delete my data?
Hi there.
I have a m40pro (M1A1) running android 11, do you know if I can install firmware Z3A1 to get android 12? Or will be bricked?
Thanks in advance
rubsbcn said:
I have a m40pro (M1A1) running android 11, do you know if I can install firmware Z3A1 to get android 12? Or will be bricked? Thanks in advance
To tell you the truth, not sure. Most SoC are impossible or near impossible to brick. They usually allow for an injection or have a read only boot section. In other words, you could test. Also research difference in hardware between models, and that may indicate if something may not work. The kernel/drivers are the important aspect.
jorkusjorkus said:
Some questions:
Do I need to unlock my bootloader in order to be able to get root with magisk?
The tools for unlocking the bootloader uses
Code:
fastboot flashing unlock_bootloader
My version of fastboot (33.0.3p1-android-tools) doesn't have that command. The included one (0.0.0-09219) does, but I want to be careful about running software from untrusted sources. Where is that version of fastboot from?
Does any of the steps necessary to get root access delete my data?
What OS are you using? Google is constantly changing Android Studio and the added modules. Then others may build with options removed. Personally I use Archlinux and load up standalone android-tools from the community repository. Currently v33.0.3-3
Try fastboot --help
Your version may have
Code:
fastboot flashing unlock_critical
minyfriki said:
Thanks to your Magisk file I was able to root my tablet, but when updating to the latest version it goes into bootloop, I have tried updating the original firmware image again, but it also goes into bootloop.
What I found works, is when using SPD Research Tool, load up the firmware.pac and then go into settings and click "Select All Files" and again to unselect, which leaves the default required items.
Then manually change BOOT to the Magisk img. Then click on all VBMETA types, and UBOOT_LOADER (may not be required though). Then flash.
You should get bootable tablet (no looping). Warning: UserData partition is written over.
I'll share my Magisk image for v1.2
e8hffff said:
What OS are you using? Google is constantly changing Android Studio and the added modules. Then others may build with options removed. Personally I use Archlinux and load up standalone android-tools from the community repository. Currently v33.0.3-3
Try fastboot --help
Your version may have
Code:
fastboot flashing unlock_critical
I'm using the same version as you on the same OS. After some research it seems like unlock_bootloader was removed in this commit from 2018. From what I can tell, unlock_critical does something else (unlock_bootloader runs
Code:
fb_queue_download("unlock_message", data, sz);
fb_queue_command("flashing unlock_bootloader", "unlocking bootloader");
while unlock_critical runs
Code:
do_oem_command("flashing", "unlock_critical");
and doesn't take the signature argument)
I'll see if I can compile the older version with the needed command.
What about my other questions?
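The difference described in the post above shows up on the wire: the removed unlock_bootloader path stages a blob with fastboot's download phase before sending the command, while unlock_critical is a single command with no payload. This is an added example, not code from fastboot or from the thread; `FakeBootloader` and its FAIL messages are constructed assumptions, and only the `download:`/`DATA`/`OKAY`/`FAIL` framing comes from the fastboot protocol.

```python
def host_messages(subcommand: str, blob: bytes = b"") -> list:
    """Host-to-device packets for one 'flashing' subcommand.
    A non-empty blob is staged first via the download phase."""
    packets = []
    if blob:
        packets.append(b"download:%08x" % len(blob))  # size as 8 hex digits
        packets.append(blob)                          # raw data phase
    packets.append(b"flashing " + subcommand.encode("ascii"))
    return packets


class FakeBootloader:
    """Constructed stand-in that implements only the commands shown here."""

    def __init__(self):
        self.pending = 0   # bytes still expected in a data phase
        self.staged = b""  # last blob received via download

    def receive(self, packet: bytes) -> bytes:
        if self.pending:
            if len(packet) != self.pending:
                self.pending = 0
                return b"FAILshort data"
            self.staged, self.pending = packet, 0
            return b"OKAY"
        if packet.startswith(b"download:"):
            self.pending = int(packet[9:17], 16)
            return b"DATA%08x" % self.pending
        if packet == b"flashing unlock_bootloader":
            # Assumption: the device refuses unless a blob was staged first
            return b"OKAY" if self.staged else b"FAILno unlock message staged"
        return b"FAILunknown command"


def exchange(device: FakeBootloader, packets: list) -> list:
    """Send each host packet in order and collect the device replies."""
    return [device.receive(p) for p in packets]


# Constructed 256-byte placeholder standing in for the signature file
SAMPLE_BLOB = bytes(256)
```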
Issue: Android not starting. I had the infinite restart when plugged in the usb. I tried to reload the installation package (succeeded), but it didn't fix the issue. Battery was not charging yet. When I started the Teclast M40 pro, the logo showed up, but the tablet turned off again.
Solution: I have disassembled the cover, unplugged the 5 pin plug from the battery for half hour and plugged again. When I tried to turn it on, everything was fine.
dougcwb said:
Solution: I have disassembled the cover, unplugged the 5 pin plug from the battery for half hour and plugged again. When I tried to turn it on, everything was fine.
Wow that's weird Doug. Remember this, if you don't already know, that you can do a cold start by holding down the power button for over 10 seconds, on most devices.
I guess you're running now on rooted tablet !!!
e8hffff said:
Wow that's weird Doug. Remember this, if you don't already know, that you can do a cold start by holding down the power button for over 10 seconds, on most devices.
I guess you're running now on rooted tablet !!!
I did the installation package process that Teclast sent me. The last thing they told me to do was keep trying to install the package (wft?). Well, I just opened the tablet, unplugged the battery for a while and after that it worked.
Maybe this resolved 2 things:
1- The battery was not properly connected in the first place, so when I plugged the 5 pin to the board it connected as it should.
2- Maybe there is a "memory" in the board attached to the battery that was bricked (or something like that); when I pulled off the plug, this memory was reset.
BTW, when the tablet came to life again, the battery was at 87%.
